Guidelines for Password Management
Purpose
The purpose of this Guideline is to educate Carnegie Mellon University (“University”) students, faculty and staff on the characteristics of a Strong Password as well as to provide recommendations on how to securely maintain and manage passwords.
Applies To
This Guideline applies to all students, faculty and staff that have a username and password to at least one University system or application, independent of whether you are an end user or a system administrator for that system or application.
Definitions
A Strong Password is defined as a password that is reasonably difficult to guess in a short period of time either through human guessing or the use of specialized software.
Guidelines
The following are general recommendations for creating a Strong Password:
A Strong Password should -
Strong Passwords do not -
The following are several recommendations for maintaining a Strong Password:
The following are Guidelines for individuals responsible for provisioning and support of user accounts:
The following are several additional Guidelines for individuals responsible for the design and implementation of systems and applications:
The following are additional Guidelines for system or service accounts - those not designed to be used by humans:
Additional Information
If you have any questions or comments related to this Guideline, please send email to the University Information Security Office at . Additional information can also be found using the following resources:
Revision History
What is the length of the password?
In most environments, an eight-character password is recommended because it's long enough to provide adequate security and still short enough for users to easily remember. A minimum password length greater than 14 isn't supported at this time. This value will help provide adequate defense against a brute force attack.
What is the maximum length of characters to be used while defining the password?
The maximum length of a password that a human user could actually type to log into Windows is 127 characters (the limitation is in the Windows GUI). 127 is probably quite impractical for a user to type, but might be good for admin accounts where passwords are checked out and copied and pasted from a password vault.
What is Password Policy in Windows?
A secure network environment requires all users to use strong passwords, which have at least eight characters and include a combination of letters, numbers, and symbols.
What is string in password?
A password is a string of characters used to verify the identity of a user during the authentication process. Passwords are typically used in tandem with a username; they are designed to be known only to the user and allow that user to gain access to a device, application or website.